Who doesn’t love the technical side of cybersecurity? With thousands of innovative cyber tools hitting the market each year, it would be easy to lull us all into believing that the security of our organizations is just a toolset or an adjusted configuration setting away. Oh, that it were that simple.
Before becoming a CISO, I helped organizations comply with the requirements of the Sarbanes-Oxley Act (SOX). Our company would help management address the state of the organization’s internal controls over financial reporting (ICFR). I was responsible for assessing IT General Controls (ITGCs) in the context of financially material business applications. Our process began with a risk assessment of the organization’s financial statements to determine the materiality of business processes and capture control detail about the applications (think ERP, CRM, and other systems) that supported material business processes. With this context, we’d evaluate and assess the design and operational effectiveness of controls. Our goal was to determine what level of assurance or confidence the organization had that its financial statements were accurate, complete, and valid.
We had two types of customers. The first and rarest were those that were genuinely interested in establishing good governance practices and sound controls over their processes such that ultimately their financial reporting was free from material weaknesses or significant deficiencies. The more common group consisted of those executives who merely asked that we “make them compliant.” It was in this group that the quality of financial reporting was most suspect, and no matter how much we worked to implement, document, and ultimately transfer good governance practices to the organization, we knew that, given the lack of “ownership,” the governance practices would not stick. The simple reason: there was no accountability or commitment to good governance.
Embarrassingly, we would call executives from this second group “walking material weaknesses.” They put their organization’s standing with financial markets, regulators, and other critical constituencies at risk because they did not value governance. Or, as I’ll discuss below, no one had explained the linkages between good governance and financial performance for their organization in a way that resonated with how they saw their role within the organization. It was as if we were speaking the wrong language to this second group. It was not that they desired poor governance and ineffective controls. It was, more accurately, that no one showed this group of executives how good governance and internal control could facilitate and underpin their organizational strategy. The failure was on us: we did not communicate effectively.
As CISOs, we see similar issues within our organizations. Some organizations take security awareness and security training very seriously and are committed to excellent security practices. Others only pay lip service to security training and education. The consequences for the latter include increased regulatory oversight and brand damage resulting from high-profile breaches. Awareness must start with executive management. It’s imperative that you help your colleagues in the C-suite understand the risks and consequences of security practices that are inadequate or incomplete. How you address this one function may have more bearing on your security program than any selected tool or security configuration. Similar to the challenges with SOX described above, leaders of organizations that do not currently value security the way we would hope may simply lack the context required to change their approach.
Now back to the opening of this chapter. Cybersecurity, while reliant upon technology, is ultimately about people. Good security practices require engaged and informed stakeholders, be they the board of directors, executives, or frontline employees. One of the most critical components of the CISO role is to help drive this engagement. Without awareness, an understanding of the acceptable use of organizational assets, and investment in the training of our teams, behaviors that bypass even the best technologies will occur. One need look no further than how the best “preventive” technologies deployed are easily circumvented by well-crafted phishing emails that entice employees and executives to expose their organization’s network to bad actors. People count. It is obvious why cyber education and security awareness training are so necessary.
Please reference Chapter 1 in Volume 1 of the CISO Desk Reference Guide for a discussion on the role of the FTC.
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.